Docs Menu
Docs Home
/
MongoDB Enterprise Kubernetes Operator
/

Configure KMIP Backup Encryption for Ops Manager

Ops Manager can encrypt backup jobs. You can use the Kubernetes Operator to configure KMIP backup encryption for Ops Manager. To learn more, see Encrypted Backup Snapshots.

For deployments where the same Kubernetes Operator instance is not managing both the MongoDBOpsManager and MongoDB custom resources, you must manually configure KMIP backup encryption client settings in the MongoDBOpsManager custom resource. This requirement involves including client certificates for each MongoDB database, which you can achieve by overriding the Ops Manager Pod's StatefulSet to mount the certificates. To learn more, see Manually Configure KMIP Backup Encryption.

1

Run the following command:

kubectl -n mongodb create configmap mongodb-kmip-certificate-authority-pem --from-file=ca-pem
2

Configure the spec.backup.encryption.kmip settings.

1 apiVersion: mongodb.com/v1
2 kind: MongoDBOpsManager
3 metadata:
4 name: om-backup-kmip
5 spec:
6 replicas: 1
7 version: 6.0.0
8 adminCredentials: ops-manager-admin-secret
9 backup:
10 encryption:
11 kmip:
12 server:
13 url: kmip.corp.mongodb.com:5696
14 ca: mongodb-kmip-certificate-authority-pem
3
4

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <opsmgr-resource>.yaml
5

Run the following command:

kubectl get om <resource-name> -o yaml -w
6

Run the following command:

kubectl -n mongodb create secret tls mongodb-kmip-client-pem-my-replica-set-client-kmip \
--cert=<path-to-cert-file> \
--key=<path-to-key-file>

The client certificate secret name has the following naming convention inferred from the MongoDB CustomResourceDefinition:

<clientCertificatePrefix>-<objectMeta.name>-client-kmip

clientCertificatePrefix

Human-readable label specified in the spec.backup.encryption.kmip.client.clientCertificatePrefix field of the MongoDB CustomResourceDefinition.

objectMeta.name

Human-readable label specified in the metadata.name field of the MongoDB CustomResourceDefinition.

client-kmip

Fixed suffix that the Kubernetes Operator assumes.

To learn more, see kubernetes.io/tls.

7

Configure the spec.backup.encryption.kmip settings.

1 apiVersion: mongodb.com/v1
2 kind: MongoDB
3 metadata:
4 name: my-replica-set
5 spec:
6 members: 3
7 version: 4.0.20
8 type: ReplicaSet
9 backup:
10 encryption:
11 kmip:
12 client:
13 clientCertificatePrefix: mongodb-kmip-client-pem

To learn more, see deploy a replica set or deploy a sharded cluster.

8
9

Invoke the following kubectl command on the filename of the Ops Manager resource definition:

kubectl apply -f <mdb-database-deployment>.yaml
10

Run the following command:

kubectl get mdb <resource-name> -o yaml -w

Back

Configure Queryable Backups